MDN ASSOCIATIVE GROUP

(MARIE DE NAZARETH - PRIER MARIE DE NAZARETH - FONDS DE DOTATION - MDN PRODUCTIONS -1000 RC)

PERSONAL DATA PROTECTION AND SECURITY POLICY

The processing of personal data is strictly necessary for the accomplishment of the missions of our MDN association group (Marie de Nazareth, Prier Marie de Nazareth, Fonds de dotation Marie de Nazareth, MDN productions, and 1000 RC).

Consequently, the protection of this data plays a key role in our daily commitments to our donors, legatees, subscribers, readers, associative and commercial partners, our employees and volunteers and, more generally, the people to whom we address ourselves.

Accordingly, the present document bears witness to our commitment to implement appropriate technical and organisational measures when collecting and/or using the data of persons concerned by In Fine, in the context of the activities of the MDN association group.

Applicable regulations

The MDN associative group undertakes to comply with the legal and/or regulatory provisions in force, applicable to its processing of personal data, and in particular the European Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018, and Law no. 78-17 of 6 January 1978, as amended, relating to information technology, files and freedoms.

In addition, the MDN Group follows the recommendations of the French supervisory authority, the CNIL, on data protection.

Definitions

Data processing: Any operation or set of operations involving such data, regardless of the process used, and in particular recording, organising, storing, adapting or modifying, retrieving, consulting, using, communicating by transmission, dissemination or any other form of making available, combining or interlinking, as well as blocking, erasing or destroying.

Personal data: Personal data is any information relating to a natural person who is identified or can be identified, directly or indirectly, by

by reference to an identification number or to one or more factors specific to that individual. To determine whether a person is identifiable, it is necessary to consider all the means of identification available to or accessible by the data controller or any other person.

CNIL: Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority)

Datacontroller: the natural or legal person, public or private, or the department, which determines, alone or with others, the purposes and means of the processing.

Sub-processor: the natural or legal person, public or private, or the service which processes personal data on behalf of the data controller.

Data Protection Officer

In order to comply with the new European regulations on data protection (RGPD), and to meet the requirement of Accountability, the MDN associative group has appointed and is supported by a Data Protection Officer. The Data Protection Officer's role is to inform and advise the MDN associative group, to ensure compliance with the applicable regulations and, in particular, to ensure that the rights of individuals are respected. He is also the main contact for the CNIL.

For any questions relating to data protection

Write to Sandra Holvoet

dpomariedenazarethcom

or

Data Protection Officer _ Groupement associatif MDN _ 124 rue du Billemont 59223 RONCQ

Data processed

The personal data processed by the MDN group of associations is :

• Data from our donors/ testators
• The data of prospects solicited during our donation campaigns
• Data from our Internet visitors
• Data from our subscribers to periodicals
• Data from our book buyers
• Information about our newsletter subscribers
• Data from our employees and volunteers
• Data from our suppliers and partners
• Data from users of social networks

This data is strictly necessary for our internal operations or our business to enable us to fulfil our mission.

For example, we may process :

For our donors/testers:

• Data relating to identity, such as title, surname and first name
• Contact details such as postal address, email address, landline or mobile telephone numbers
• Data relating to donations/legacies (amount, date, tax receipt, means of payment)

For Prospects:

• Identity-related data such as title, surname, first name
• Contact details such as postal address, email address, landline or mobile telephone numbers, etc.

For Internet visitors:

• Identity-related data such as title, surname, first name
• Data relating to contact details such as postal address, email address, landline or mobile telephone numbers
• Data collected using cookies

For subscribers to periodicals and book buyers

• Identity-related data such as title, surname and first name
• Data relating to contact details such as postal address, email address, landline or mobile telephone numbers
• Data relating to means of payment

For newsletter subscribers:

• Your email address
• Your subscription and unsubscription dates

For employees and volunteers:

• Data relating to identity such as title, surname, first name, date and place of birth, etc.
• Contact details such as postal address, email address, fixed or mobile telephone numbers
• data relating to family situation, professional situation, working hours, remuneration, bank details, NIR, tax rate, CV and covering letter
• medical data

For suppliers/partners:

• Identity-related data such as title, surname, first name, job title

• Contact details such as postal address, email address, landline or mobile telephone numbers

For users of social networks:

• Data relating to their name or pseudonym
• Their photo, if any
• Data that users of social networks choose to communicate

Purposes of processing

The MDN group of associations uses data for specific, explicit and legitimate purposes.

In particular, your data may be processed for :

• Managing your donations or legacies
• Communicate about our missions/ books and periodicals
• Appeal for donations to finance the missions of our MDN Associative group
• Facilitating the use of our websites for our visitors and responding to their requests for contact or information
• Managing the dispatch of our periodicals and books
• Managing the distribution of our newsletters
• Managing our staff and volunteers
• Managing our relationships with our charitable and commercial partners
• Managing our social networks
• Organising events to raise awareness of our cause
• Carrying out statistical studies
• Responding to requests to exercise the rights of people affected by the use of their personal data

The legal basis for processing

We ensure that each of our processing operations is carried out in compliance with its legal basis, whether this involves :

• The performance of a contractual relationship
• Obtaining consent
• Responding to our legitimate interests
• The law

Recipients of personal data processed

Your personal data is only communicated to authorised and specified recipients.

These recipients may have access to your data within the limits necessary to achieve the purposes described above.

The following may be recipients:

• The MDN association and its authorised staff or volunteers
• Service providers and sub-contractors carrying out services on behalf of the MDN consortium
• Partners in the charitable sector of the MDN voluntary grouping if you have not objected to this
• MDN's commercial partners, if you have consented (for your e-mail address) or if you have not objected (for your postal address).

Retention of personal data

Our donors' data is kept :

5 years for sending new communications or canvassing

6 years for tax receipts

The data of our testators is kept: until the person concerned requests its deletion.

The personal data of prospective customers (sent by partners) is only kept for the duration of the solicitation operation. Unless the prospect responds positively to solicitations from the MDN association by donating, subscribing to magazines or buying a book.

The personal data of our book buyers or magazine subscribers is kept for 5 years after the last purchase or the end of the subscription.

Personal data of Internet users,

Via the contact form, the data supplied may only be kept for the time required to process the request.

Data relating to cookies is kept for 13 months.

Transaction data is kept :

• 10 years for accounting records
• Payment data is kept for the duration of the transaction.

The data of our newsletter subscribers is kept for the duration of the subscription and then for a period of 3 years after unsubscribing.

Data on employees and volunteers is mainly kept for the duration of their employment or volunteer period + 5 years. As there are many particularities, they can consult the MDN group's Human Resources processing register for more details.

Contact data from our suppliers/partners is kept for the duration of the commercial relationship + 3 years. Accounting documents are kept for 10 years and contracts for 5 years.

Social network user data is stored in accordance with the terms and conditions of use of the social network concerned. Certain data may be deleted by the MDN Group's moderation department if this proves useful.

The data retention/archiving and destruction policy provides further information on this point.

Transfer of personal data outside the European Union

The MDN Group does not transfer any personal data to any country outside the European Union.

Processing of cookies

Pursuant to the ePrivacy Directive, Internet users must be informed and give their consent before certain cookies are stored and read.

In this case, the websites of the MDN association use two types of cookies:

• Technical cookies necessary for browsing our site and accessing the various products and services. In particular, they enable the presentation of the site to be adapted to your terminal's display preferences (language used, display resolution). These cookies cannot be deactivated or configured, otherwise you will no longer be able to access the site and/or its services.
• Google Analytics-type audience measurement cookies. These cookies are used :

• To measure the audience for the various content and sections of our site and mobile applications in order to evaluate and better organise them.
• If necessary, to detect navigation problems and consequently improve the ergonomics of our services.

These cookies only produce anonymous statistics and traffic volumes, to the exclusion of any individual information. The lifetime of these audience measurement cookies does not exceed 13 months.

Commitments of the Marie de Nazareth association

The Groupement associatif MDN undertakes to take into account, with regard to its tools, products, applications or services, the principles of personal data protection by design and data protection by default.

Data security

MDN implements all appropriate technical and organisational security measures in order to guarantee a level of security appropriate to the risk, including, among other things, as required:

• Means to guarantee the confidentiality, integrity, availability and constant resilience of processing systems and services;
• Means to restore the availability of and access to personal data within an appropriate timeframe in the event of a physical or technical incident;
• A procedure for regularly testing, analysing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.

Furthermore, in the event of a personal data breach, the MDN association undertakes to notify the competent supervisory authority of the breach in question as soon as possible and if possible no later than 72 hours after becoming aware of it, unless the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons. If the violation presents a high risk for the rights and freedoms of an individual, the MDN association will communicate the violation to the person concerned as soon as possible.

All of these measures are documented and recorded in the data processing register.

In addition, the MDN consortium requires that any subcontractors it calls upon provide the same appropriate guarantees to ensure the security and confidentiality of the personal data it entrusts to them.

Individual rights

You have rights concerning the processing of your personal data, which may be exercised under the conditions laid down by the regulations in force, namely:

• The right to be informed in a comprehensible and easily accessible manner about the processing of your data.
• The right to access your data
• The right to rectify and obtain the modification of your data that may be inaccurate or incomplete
• The right to erasure of your data, unless we have legal or legitimate grounds to retain it
• The right to object to processing where this is based on the legitimate interests of the data controller
• The right to object, at any time and at no cost, without having to give reasons, to your data being used for commercial prospecting purposes
• The right to limit the processing of your personal data
• The right to the portability of your data where processing is based on consent or the performance of contracts and where processing is carried out using automated processes

• The right to withdraw your consent at any time where the processing of your personal data is based on your consent
• The right to give specific or general instructions concerning the retention, erasure and disclosure of your personal data, applicable after your death
• The right to lodge a complaint with the CNIL

If you have any questions about exercising these rights, you can contact the Data Protection Officer of the MDN group of associations as follows:

• By e-mail to dpomariedenazarethcom
• By post: Data Protection Officer _ MDN Group _ 124 rue du Billemont 59223 RONCQ

Competent authority

You have the right to appeal to the Commission Nationale de l'Informatique et des Libertés (French Data Protection Authority) in the event of a breach of the regulations applicable to the protection of personal data, in particular the RGPD.

Registers and documentation

The MDN associative group also declares that it keeps a register of the data processing that it carries out, including:

• The name and contact details of the data controller and data protection officer
• The purposes of the processing
• A description of the categories of data subjects and the categories of personal data,
• The categories of recipients to whom the personal data is disclosed
• Any transfers of data to a third country or to an international organisation, including the identification of the latter
• Retention periods.

Documentation attesting to RGPD compliance is also kept.

Personal Data Protection Policy validated on 29 November 2023.